Norton Gets a Bit Less Secure

November 30, 2005

What's the newest security threat lurking on your PC? It's not the spam sitting in your inbox luring you to fake Web sites. Or the keystroke-logging malware recording your passwords. It's holes in the software designed to protect you from all that.

It's true: Hackers, bored with attacking Microsoft (MSFT), are going after Symantec (SYMC), whose Norton products are the first line of defense on 50 million PCs worldwide. Says Ralph Echemendia, an info-tech security instructor at Vigilar's Intense School, a Fort Lauderdale security training institute: "They've become a new target."

That's bad news for a company trying to differentiate itself from rivals -- including Microsoft, which rolled out two security products on Nov. 29 -- by positioning itself as a premium brand that charges top dollar. "The danger is you turn off consumers," says Andrew Jaquith of market researcher Yankee Group.

INVITING TARGET. How big is the threat to Symantec and its customers? Already, hackers are bypassing or disabling Symantec software in their efforts to access personal information or spread viruses and worms. And there's mounting evidence that hackers are trying to use Symantec software as an actual gateway into corporate servers and PCs. A Nov. 22 report by the SANS Institute, a computer-security watchdog, showed a tenfold increase in attempts to exploit a flaw in a Symantec data-protection program after it was disclosed in May.

Symantec's ubiquity -- a 64% share of the consumer antivirus market -- has made it a prime target. By contrast, rival McAfee (MFE), with just 15.7% of the market, according to IDC Research, is experiencing fewer attacks. At the same time, hackers are becoming increasingly sophisticated.

Exhibit A: Golden Hacker Defender Forever, Web-based software that promises to cloak any malicious code so that it won't be found by leading antivirus packages. For an extra $125, hackers can even buy "antivirus support," regular updates to the cloaking code designed to stay one step ahead of similar hacker-fighting updates put out by Symantec and others.

"LIKE FIREFIGHTERS." Symantec contends it has the wherewithal to take on the hackers. The company has more than 100 researchers combing cyberspace to figure out where hackers are going next and how to protect its customers. "The issue is, when a vulnerability [is found], how quickly do you respond?" says Symantec Chairman and CEO John Thompson. "If by some quirk of fate we discover a problem, like firefighters we move quickly to address it." Symantec sends out patches within 28 hours of a vulnerability being exposed, which compares favorably with an average of 51 days for most software firms.

But in a world of industrial-scale hacking, that might not be fast enough. According to AV-Test.org, a German virus tracker, Symantec's average response time for the 12 major virus outbreaks during the first half of 2005 was 10 hours, 48 minutes. McAfee scored slightly better with 9 hours, 29 minutes. F-Secure, a Finnish security firm, took 2 hours, 37 minutes. "[A few hours] make a world of difference," says F-Secure President and Chief Executive Risto Siilasmaa. "Viruses infect PCs exponentially."

The threat arrives at a time when Symantec is under unprecedented pressure. While the company continues to sell most of its consumer products through computer stores, late last year McAfee and other rivals began distributing their software through Internet service providers, which give it to subscribers for free.

MAINTAINING AN EDGE? Microsoft's entry into the market is sure to up the price pressure. In an attempt to diversify beyond the increasingly competitive security business, Symantec a year ago bought storage-software maker Veritas. But many investors viewed the $10 billion acquisition as an awkward fit. That perception, and Symantec's warning on Nov. 1 that revenues in fiscal '06 would be lower than expected, have battered the stock, which, at about $18, is 47% off its 52-week high (see BW Online, 11/03/05, "Symantec: From Stumble to Stagger?").

CEO Thompson vows not to be drawn into a price war. Let McAfee target customers lacking even the most basic antivirus software, he says. Symantec is focusing on a more sophisticated suite of security products with fatter margins. But customers will only keep paying up if Symantec is seen as the premier brand. If hackers continue their onslaught, security vulnerabilities could be the least of Thompson's problems.